The list of trusted root certificates can be specified at build time using the TRUST= build parameter. If no certificates are specified, then the default iPXE root CA certificate is trusted.

If no certificates were explicitly specified, then we allow the list of trusted root certificate fingerprints to be overridden using the "trust" setting, but only at the point of iPXE initialisation. This prevents untrusted sources of settings (e.g. DHCP) from subverting the chain of trust, while allowing trustworthy sources (e.g. VMware GuestInfo or non-volatile stored options) to specify the trusted root certificate without requiring a rebuild.
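
The gating rule described above, as a simplified C model added here for illustration (it is not iPXE's own code). The names `trust_store`, `trust_offer`, `trust_freeze`, `trust_has` and `scenario`, the 32-byte fingerprint size, and the rejection of malformed values are all assumptions of this sketch.

```c
#include <stddef.h>
#include <string.h>

#define FP_LEN 32    /* assumed fingerprint size (one SHA-256 digest) */
#define MAX_ROOTS 4  /* arbitrary cap for this model */

struct trust_store {
    unsigned char fp[MAX_ROOTS][FP_LEN];
    size_t count;
    int explicit_build;  /* TRUST= was given at build time */
    int frozen;          /* initialisation has completed */
};

/* Offer a "trust" setting value; returns 0 if adopted, <0 if ignored */
int trust_offer(struct trust_store *ts, const unsigned char *val, size_t len) {
    if (ts->explicit_build) return -1;  /* build-time list is final */
    if (ts->frozen) return -2;          /* too late, e.g. DHCP-supplied */
    if (len == 0 || len % FP_LEN || len / FP_LEN > MAX_ROOTS)
        return -3;                      /* malformed: keep current list */
    memcpy(ts->fp, val, len);
    ts->count = len / FP_LEN;
    return 0;
}

/* End of initialisation: the list can no longer change */
void trust_freeze(struct trust_store *ts) { ts->frozen = 1; }

int trust_has(const struct trust_store *ts, const unsigned char *fp) {
    for (size_t i = 0; i < ts->count; i++)
        if (memcmp(ts->fp[i], fp, FP_LEN) == 0) return 1;
    return 0;
}

/* Constructed scenario: a stored option offers root A during init, then a
 * DHCP-style source offers root B afterwards. Returns a bitmask:
 * bit 0 = A trusted, bit 1 = B trusted, bit 2 = initial root trusted. */
int scenario(int explicit_build) {
    unsigned char dflt[FP_LEN], a[FP_LEN], b[FP_LEN];
    struct trust_store ts = { .count = 1, .explicit_build = explicit_build };
    memset(dflt, 0xD0, FP_LEN); memset(a, 0xAA, FP_LEN); memset(b, 0xBB, FP_LEN);
    memcpy(ts.fp[0], dflt, FP_LEN);   /* default or build-time root */
    trust_offer(&ts, a, FP_LEN);      /* at init: non-volatile option */
    trust_freeze(&ts);
    trust_offer(&ts, b, FP_LEN);      /* after init: ignored */
    return trust_has(&ts, a) | (trust_has(&ts, b) << 1) | (trust_has(&ts, dflt) << 2);
}
```

With no build-time list, only the root offered during initialisation ends up trusted; with a build-time list, neither offer changes anything.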